
View Full Version : Another Windows XP Recovery attack



msff4u
2011-05-30, 21:15
I too have encountered the dreaded “Windows XP Recovery” virus.
I worked most all of yesterday, till 4am this morning, trying to recover from this.
During my futile effort, I have run the following programs:
1. Roguefix
2. Avira AntiVir
3. Malwarebytes Anti-Malware
4. Super AntiSpyware
5. Spybot
I have been able to regain my desktop (I think), however, when trying to access programs from the start menu, most say “empty”.
Not really sure I have completely eliminated this virus.

Additional problems found include:
-Internet Explorer will flash once then not open; if I start it “without add-ons” it will come up and display “Internet Explorer is currently running without add-ons”.
There is a bar at the top of the screen showing the “click here to manage add-ons”.
If I click on the “home page” button, IE will bring up my homepage (google).
If I “x” the above bar, once I go to another page, the bar will show up again.

Additional steps taken include running “unhide” – was able to see some of my files.
Reran again, little to no improvement.
Did receive a “'PEV' is not recognized as an internal or external command, operable program or batch file” message.
Then received the “Finished” box and selected OK.

During the troubleshooting of this, I noticed that you requested that a copy of the DDS log file be included; see below.

I have also run ERUNT, as stated in the “before you post” area.

I have also included the log file from Spybot; see below. Note, this is the 2nd run of Spybot.
.
DDS (Ver_11-05-19.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Frank at 12:55:06 on 2011-05-30
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3067.2153 [GMT -4:00]
.
AV: AntiVir Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
AV: VirusScan Enterprise + AntiSpyware Enterprise *Enabled/Outdated* {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
c:\drivers\audio\r211990\stacsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\Explorer.EXE
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\WINDOWS\system32\AESTFltr.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe
C:\WINDOWS\system32\dleacoms.exe
C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\WINDOWS\vVX3000.exe
C:\Program Files\Dell V310-V510 Series\dleamon.exe
C:\Program Files\Dell V310-V510 Series\ezprint.exe
C:\Program Files\HTC\HTC Sync 3.0\htcUPCTLoader.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\DRIVERS\o2flash.exe
C:\Program Files\HTC\Internet Pass-Through\PassThruSvr.exe
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Intel\WiFi\bin\WLKeeper.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\rpcnet.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SCServer\SCServer.exe
C:\Program Files\Windows Live\Toolbar\wltuser.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\SearchFilterHost.exe
C:\Documents and Settings\Frank\Desktop\dds.scr
C:\WINDOWS\system32\WSCRIPT.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: vShare Plugin: {043c5167-00bb-4324-af7e-62013faedacf} - c:\program files\vshare\vshare_toolbar.dll
BHO: Dell Toolbar: {09b71986-2ac5-482d-b6cb-42ea34f4f85b} - c:\program files\dell toolbar\toolband.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptcl.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5612.1312\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: Dell Toolbar: {09b71986-2ac5-482d-b6cb-42ea34f4f85b} - c:\program files\dell toolbar\toolband.dll
TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: vShare Plugin: {043c5167-00bb-4324-af7e-62013faedacf} - c:\program files\vshare\vshare_toolbar.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe"
uRun: [tSfkTNduxrPpGPr.exe] c:\docume~1\frank\locals~1\temp\tSfkTNduxrPpGPr.exe
uRun: [UtYUtxpPbB] c:\documents and settings\all users\application data\UtYUtxpPbB.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
mRun: [AESTFltr] %SystemRoot%\system32\AESTFltr.exe /NoDlg
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start
mRun: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
mRun: [IntelZeroConfig] "c:\program files\intel\wifi\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\common files\intel\wirelesscommon\iFrmewrk.exe" /tf Intel Wireless Tray
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\UdaterUI.exe" /StartedFromRunKey
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [LifeCam] "c:\program files\microsoft lifecam\LifeExp.exe"
mRun: [VX3000] c:\windows\vVX3000.exe
mRun: [HPWQTOOLBOX] c:\program files\hewlett-packard\hp deskjet 9800 series\toolbox\HPWQTBX.exe "-i"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [dleamon.exe] "c:\program files\dell v310-v510 series\dleamon.exe"
mRun: [EzPrint] "c:\program files\dell v310-v510 series\ezprint.exe"
mRun: [Dell V310-V510 Series Fax Server] "c:\program files\dell v310-v510 series\fm3032.exe" /s
mRun: [MyGarminAgent] c:\program files\garmin\mygarminagent\MyGarminAgent.exe
mRun: [HTC Sync Loader] "c:\program files\htc\htc sync 3.0\htcUPCTLoader.exe" -startup
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
uPolicies-explorer: NoThemesTab = 0 (0x0)
uPolicies-system: NoDispAppearancePage = 0 (0x0)
uPolicies-system: NoColorChoice = 0 (0x0)
uPolicies-system: NoSizeChoice = 0 (0x0)
uPolicies-system: NoVisualStyleChoice = 0 (0x0)
uPolicies-system: NoDispSettingsPage = 0 (0x0)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.2.0/GarminAxControl.CAB
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {3D3B42C2-11BF-4732-A304-A01384B70D68} - hxxp://picasaweb.google.com/s/v/59.15/uploader2.cab
DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} - hxxp://dl.tvunetworks.com/TVUAx.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.0.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: vsharechrome - {3F3A4B8A-86FC-43A4-BB00-6D7EBE9D4484} - c:\program files\vshare\vshare_toolbar.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
============= SERVICES / DRIVERS ===============
.
.
=============== File Associations ===============
.
scrfile="%1" %*
.
=============== Created Last 30 ================
.
.
==================== Find3M ====================
.
.
============= FINISH: 12:56:37.48 ===============


Spybot Report Below:

--- Report generated: 2011-05-30 11:48 ---

Yontoo.Pagerage: [SBI $73A90B7D] Settings (Registry key, fixed)
HKEY_CLASSES_ROOT\AppID\{CFDAFE39-20CE-451D-BD45-A37452F39CF0}

Yontoo.Pagerage: [SBI $2DBD7A06] Settings (Registry key, fixed)
HKEY_CLASSES_ROOT\AppID\YontooIEClient.DLL

Yontoo.Pagerage: [SBI $0C44E8A1] Class ID (Registry key, fixed)
HKEY_CLASSES_ROOT\CLSID\{10DE7085-6A1E-4D41-A7BF-9AF93E351401}

Yontoo.Pagerage: [SBI $B8CFDDD6] Interface (Registry key, fixed)
HKEY_CLASSES_ROOT\Interface\{10DE7085-6A1E-4D41-A7BF-9AF93E351401}

Yontoo.Pagerage: [SBI $F3C9A203] Interface (Registry key, fixed)
HKEY_CLASSES_ROOT\Interface\{1AD27395-1659-4DFF-A319-2CFA243861A5}

Yontoo.Pagerage: [SBI $93314514] Type library (Registry key, fixed)
HKEY_CLASSES_ROOT\TypeLib\{D372567D-67C1-4B29-B3F0-159B52B3E967}

Yontoo.Pagerage: [SBI $9297A7A9] Root class (Registry key, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\YontooIEClient.Api

Yontoo.Pagerage: [SBI $9297A7A9] Root class (Registry key, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\YontooIEClient.Api.1

Yontoo.Pagerage: [SBI $9297A7A9] Class ID (Registry key, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}

Yontoo.Pagerage: [SBI $EFBC03B1] Root class (Registry key, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\YontooIEClient.Layers

Yontoo.Pagerage: [SBI $EFBC03B1] Root class (Registry key, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\YontooIEClient.Layers.1

Yontoo.Pagerage: [SBI $EFBC03B1] Class ID (Registry key, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}

Yontoo.Pagerage: [SBI $EFBC03B1] Browser helper object (Registry key, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}

Yontoo.Pagerage: [SBI $BAC2B4A8] Settings (Registry key, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions\niapdbllcanepiiimjjndipklodoedlc

Yontoo.Pagerage: [SBI $71FBD431] Uninstall settings (Registry key, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}

Yontoo.Pagerage: [SBI $EE582247] Settings (Registry key, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Tarma Installer\Components\{3E454121-D681-4BBE-AC01-9D4DC40D2A04}

Yontoo.Pagerage: [SBI $F5FA984A] Settings (Registry key, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Tarma Installer\Components\{4E4AE263-5CE6-4307-84B6-B9BFF5729A44}

Yontoo.Pagerage: [SBI $A00897AC] Settings (Registry key, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Tarma Installer\Components\{9307081B-7444-494C-8CF6-2FA7C0E92BFB}

Yontoo.Pagerage: [SBI $03B3DE2C] Settings (Registry key, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Tarma Installer\Components\{9D9785E5-3424-40B6-A287-BA143AD53109}

Yontoo.Pagerage: [SBI $AF934D1A] Settings (Registry key, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Tarma Installer\Components\{B6783DFA-B8C8-4CB6-AB9F-EF1A1F7F7AE8}

Yontoo.Pagerage: [SBI $38897F2F] Settings (Registry key, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Tarma Installer\Products\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}

Yontoo.Pagerage: [SBI $445502D3] Program directory (Directory, fixed)
C:\Documents and Settings\All Users\Application Data\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\

Yontoo.Pagerage: [SBI $D204305F] Library (File, fixed)
C:\Documents and Settings\All Users\Application Data\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setup.dll
Properties.size=0
Properties.md5=D41D8CD98F00B204E9800998ECF8427E

Yontoo.Pagerage: [SBI $9FBE075A] Library (File, fixed)
C:\Documents and Settings\All Users\Application Data\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setupx.dll
Properties.size=0
Properties.md5=D41D8CD98F00B204E9800998ECF8427E

Yontoo.Pagerage: [SBI $4F1A22FC] Data (File, fixed)
C:\Documents and Settings\All Users\Application Data\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\Setup.dat
Properties.size=0
Properties.md5=D41D8CD98F00B204E9800998ECF8427E

Yontoo.Pagerage: [SBI $B7965EF0] Executable (File, fixed)
C:\Documents and Settings\All Users\Application Data\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\Setup.exe
Properties.size=0
Properties.md5=D41D8CD98F00B204E9800998ECF8427E

Yontoo.Pagerage: [SBI $69165085] Picture (File, fixed)
C:\Documents and Settings\All Users\Application Data\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\Setup.ico
Properties.size=0
Properties.md5=D41D8CD98F00B204E9800998ECF8427E

Fraud.HDDDefragmenter: [SBI $CFE71EA7] Settings (Registry value, fixed)
HKEY_USERS\S-1-5-21-2492541491-1451489431-2766994577-1005\Software\12B79064-EB17-4f82-9DFE-B975BD26D1DC

Fraud.WindowsRecovery: [SBI $9C8FE954] Settings (Registry value, fixed)
HKEY_USERS\S-1-5-21-2492541491-1451489431-2766994577-1005\Software\75fa38b7-8b94-4995-ad32-52e938867954

Fraud.WindowsRecovery: [SBI $597FC39E] Settings (Registry value, fixed)
HKEY_USERS\S-1-5-21-2492541491-1451489431-2766994577-1005\Software\BD

MyFreezeToolbar: [SBI $D951AE6E] Browser helper object (Registry key, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E38FA08E-F56A-4169-ABF5-5C71E3C153A1}

MyFreezeToolbar: [SBI $B2610ABA] Class ID (Registry key, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E38FA08E-F56A-4169-ABF5-5C71E3C153A1}

Microsoft.WindowsSecurityCenter.AntiVirusOverride: [SBI $3604910C] Settings (Registry change, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusOverride

Microsoft.WindowsSecurityCenter.FirewallOverride: [SBI $0C94D702] Settings (Registry change, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallOverride

Search-Explorer: Interface (IPugiObj) (Registry key, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{20ED5AF7-D9C4-409E-9EB3-D2A44A77FB6D}


--- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---


Forgot on original post to attach the attach.zip file.
Sorry.....it's been a long day :sick:
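The two uRun entries in the DDS log above (a random-named executable in the user's temp folder and another sitting at the root of All Users\Application Data) are the kind of autostart a scareware infection leaves behind. The following triage script is an added example, not code from the thread or from DDS: it parses uRun:/mRun: lines and reports the entries a helper would look at first; the temp-directory list and the random-name thresholds are this example's own assumptions.

```python
r"""Triage the uRun/mRun autostart lines of a DDS "Pseudo HJT Report".

Added example for this thread, not part of DDS or the original post. It
flags autostart entries that launch from a user temp directory or straight
from the root of All Users\Application Data, and entries whose file name
looks machine-generated, the two patterns behind the tSfkTNduxrPpGPr.exe
and UtYUtxpPbB.exe entries in the posted log. The directory list and the
random-name thresholds are this example's own assumptions.
"""
import re
from dataclasses import dataclass, field

# uRun: [Name] command   (u = current user hive, m = machine hive)
RUN_RE = re.compile(r"^(?P<hive>[um])Run:\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
# leading (optionally quoted) token of the command that ends in an executable extension
EXE_RE = re.compile(r'^"?(?P<path>.*?\.(?:exe|scr|com|bat|cmd|pif))\b', re.IGNORECASE)

# Assumed heuristics: temp directories (any depth) and roots that legitimate
# software normally uses only as a parent folder, never as the exe location.
TEMP_DIRS = ("\\locals~1\\temp\\", "\\local settings\\temp\\", "\\windows\\temp\\")
BARE_ROOTS = ("\\all users\\application data\\",)


@dataclass
class Finding:
    hive: str
    name: str
    path: str
    reasons: list = field(default_factory=list)


def exe_path(cmd: str) -> str:
    """Return the executable part of an autostart command, without quotes."""
    m = EXE_RE.match(cmd)
    if m:
        return m.group("path")
    # no recognised extension (e.g. "dumprep 0 -k"): take the first token
    return cmd.split()[0].strip('"') if cmd.split() else ""


def stem_of(path: str) -> str:
    """File name without directory and extension."""
    base = path.rsplit("\\", 1)[-1]
    return base.rsplit(".", 1)[0] if "." in base else base


def looks_random(stem: str) -> bool:
    """Assumed heuristic: many upper/lower case flips and almost no vowels."""
    letters = [c for c in stem if c.isalpha()]
    if len(letters) < 8:
        return False
    flips = sum(1 for a, b in zip(letters, letters[1:]) if a.isupper() != b.isupper())
    vowels = sum(1 for c in letters if c.lower() in "aeiou")
    return flips >= 4 and vowels / len(letters) < 0.3


def suspicious_reasons(path: str) -> list:
    """Every reason this executable location or name deserves a second look."""
    reasons = []
    low = path.lower()
    if any(d in low for d in TEMP_DIRS):
        reasons.append("runs from a user temp directory")
    for root in BARE_ROOTS:
        i = low.find(root)
        if i >= 0 and "\\" not in low[i + len(root):]:
            reasons.append("runs directly from " + root)
    if looks_random(stem_of(path)):
        reasons.append("machine-generated looking file name")
    return reasons


def parse_run_lines(report: str) -> list:
    """Parse every uRun:/mRun: line; other DDS lines (BHO:, TB:, DPF:) are skipped."""
    findings = []
    for line in report.splitlines():
        m = RUN_RE.match(line.strip())
        if not m:
            continue
        path = exe_path(m.group("cmd"))
        findings.append(Finding(m.group("hive"), m.group("name"), path,
                                suspicious_reasons(path)))
    return findings


def flagged(report: str) -> list:
    """Only the autostart entries that have at least one reason attached."""
    return [f for f in parse_run_lines(report) if f.reasons]


# Lines copied from the DDS log posted in the thread.
SAMPLE_DDS = r"""
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [tSfkTNduxrPpGPr.exe] c:\docume~1\frank\locals~1\temp\tSfkTNduxrPpGPr.exe
uRun: [UtYUtxpPbB] c:\documents and settings\all users\application data\UtYUtxpPbB.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
"""

if __name__ == "__main__":
    for f in flagged(SAMPLE_DDS):
        print(f"{f.hive}Run [{f.name}] -> {f.path}: {'; '.join(f.reasons)}")
```

Run against the sample, only the two scareware entries are reported; the legitimate Google, SUPERAntiSpyware, NVIDIA, Avira and dumprep lines pass both checks.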

shelf life
2011-06-07, 01:00
Hi msff4u,

Your post is a few days old. If you still need help simply reply back.

msff4u
2011-06-07, 02:29
Yes I still need some help.
Thank you for taking the time to help

shelf life
2011-06-07, 04:36
First read this guide about combofix, on another computer if you have to:
Guide to using Combofix (http://www.bleepingcomputer.com/combofix/how-to-use-combofix). We will use it later.

Next: Download rkill.com (http://download.bleepingcomputer.com/grinler/rkill.com) to the compromised machine,
double click it and let it run. It only terminates certain processes; it doesn't remove them, so don't reboot yet.

"Please be patient while the program looks for various malware programs and ends them. When it has finished, the black window will automatically close and you can continue with the next step."


Download combofix to your desktop and run it. Post the log in your reply. If it gives you problems you can try running it in safe mode. To reach safe mode you would tap the F8 key during a computer restart, choose the first option from the list: safe mode, and log into your usual account. Once at the safe mode desktop, run combofix. Post the log.

See how that goes. Let me know what you were able to do or not do. I won't be back on line for 18 or so hours. Good luck.

msff4u
2011-06-08, 05:14
Shelf Life,
First thanks for helping me out with this. Sure will be glad to get this fixed and get back on line.
First off, downloaded and ran RKill with no ill effects.
Next, downloaded and tried to run Combofix.
Initially tried to run this from normal log in on desktop. The program started but it hung.
I then tried to perform a normal reboot, however, it would not reboot. I then performed a "hard" boot. The computer came back up, I went into Safe Mode.
I then tried to run ComboFix again, this time I got a blue screen.
Again, I had to perform a "hard" boot. When the computer came back up, I went into "Safe" mode again.
This time I was able to get ComboFix to run to completion. The only problem that was encountered this time was that I could not access the internet, thus, ComboFix was not able to download the "Recovery Console".
I did not have any additional problems after completion.
I have attached the ComboFix.txt file as directed.
Again, thanks for all your help and time with my problem.

shelf life
2011-06-08, 23:59
Hi

OK, good. Check Malwarebytes for updates and do a scan with it. We will also get another download to use:

Please download TDSS Killer.exe (http://support.kaspersky.com/downloads/utils/tdsskiller.exe) and save it to your desktop

Double click to launch the utility. On Vista and Windows 7, right click and "run as admin...". After it initializes click the start scan button.

"The utility will automatically select an action (Cure or Delete) for known malicious objects. A suspicious object will be skipped by default."


If an infected file is detected, the default action will be Cure, click on Continue.

If a suspicious file is detected, the default action will be Skip, click on Continue.

It may ask you to reboot the computer to complete the process. Click on Reboot Now.

If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.

A report can also be found in your Root drive Local Disk (C) as TDSSKiller.2.4.12.0_02.01.2011_17.32.21_log.txt (name, version, date, time, log.txt)

Please post the log report.

msff4u
2011-06-09, 04:58
Thanks for the reply, just got home and have to be back in @ 5:30 am. Will run these programs when I get home tomorrow.

shelf life
2011-06-10, 00:19
OK, no problem.

msff4u
2011-06-10, 03:54
Well, here we go,
First off, I cannot access my wireless network; each time I try, the connection manager shows "firewalled". I have even turned Windows Firewall off, still no luck. Guess I still have a problem.
I did run Malwarebytes; I was not able to update the database. Even though it was 10 days old, it did find 3 viruses.
I have attached the log file.
I then rebooted and ran TDSSKiller, it found another virus. Selected continue and then rebooted.
The log file from that is also attached. Sorry, but had to zip it to get it to upload. It was 56k and could only upload a 48k file.
Just a couple of OBTWs: I still think that something is lurking around. When I select any program from the start menu, it still shows "empty".
My desktop looks normal, but it does not seem quite right.
Anyways, we are making progress, so I really do appreciate all of your help.
Look forward to seeing what needs to be done next.
Thanks.....

shelf life
2011-06-11, 02:28
OK, thanks for the info. TDSSKiller removed a rootkit.
If you right click on Start, choose Explore, click on the Windows folder then the System32 folder. Then find cmd.exe in the files listed to the right and double click it.
In the shell window that opens, at the cursor type in:

ipconfig /all > C:\results.txt

You will find the results.txt log in your root drive C:
Please post the log.

If you have a router and a modem you can try this: turning the modem off, also the router, wait 30 seconds or so then turn the modem back on, then the router. While they power back up restart your computer.


connection manager shows "firewalled"
Is Windows managing the wireless connection, or do you have third party software installed? If it's third party you would see an icon by the clock you could click on to get info and details.

The start menu is most likely a leftover from the scareware, which we will try to fix.

msff4u
2011-06-11, 06:18
Here is the IPConfig log.
I still cannot connect wirelessly; I can connect if I plug into the modem.
Not sure if that helps or not.
I am using the Intel PROSet/Wireless connection manager. I cannot see it in the program listing.
Again, thanks for all your help

shelf life
2011-06-11, 17:40
Are you able to see the items from the start panel? If so, start>control panel>network connections. Double click the network connection icon, and on the wireless icon, right click on it and make sure it's "enabled" and not disabled.

msff4u
2011-06-11, 19:51
Was able to get my connection working last night after I posted.
I wanted to see if I could get on the net at all, so I plugged into the modem and was able to make a "hardwire" connection.
Once I knew I could connect, I then went to control panel->add/remove programs->[selected] Intel Proset->then selected repair.
I was then able to make a wireless connection. I then rebooted to see if there would be any change, there was not. Seems to have fixed that problem.:bigthumb:
Still have the issue of nothing showing up on the start menu once you hover on a program, i.e. [All Programs]->[Windows Live]->[empty] :confused:
Thanks for all of your help with this.....you are my HERO.....:crowned:

shelf life
2011-06-12, 00:37
Download this (http://download.bleepingcomputer.com/reg/shell.reg) to your desktop, double click and allow it to merge into the registry.

msff4u
2011-06-12, 02:30
Done. It went in with no problem, I guess :confused:

shelf life
2011-06-12, 04:15
Is your start menu any better now?

msff4u
2011-06-12, 05:03
NO. Still showing EMPTY whenever I select something.
The only things that are showing are the items that I have just recently done. Such as Malwarebytes. Items such as Microsoft still show empty when I hover over them.:sick:

shelf life
2011-06-12, 16:19
Do you have two AV installed, Mcafee and Avast? Only need one AV per machine. Two is not better in this case. If so you should remove one via the add/remove programs panel.
So the only things that show in the start panel are ones you recently used?
Does it look like the attached screenshot?

msff4u
2011-06-12, 17:12
You are correct, my start panel looks like what you sent.
I have removed the Avast, do I need to turn the auto scan features of Malware & Spybot off?
I have also included a screen shot (screen shot.zip) of my start menu and also of the add/remove screen. Thought that might help.
Again, thanks for all the help........

shelf life
2011-06-12, 19:15
Malwarebytes and Spybot are not antivirus, so you can have both of those running. For the start menu you can try this:
Go to start>run and copy/paste what's below in the Run window, click OK or enter. Reboot your computer and see if that helped.

regsvr32 /i shell32.dll

msff4u
2011-06-12, 20:59
No joy.
I copied and pasted as instructed, it showed succeeded, rebooted, still the same results.... rats.....

shelf life
2011-06-12, 23:13
Download this (http://www.kellys-korner-xp.com/regs_edits/nodesktop.reg). Save it to your desktop, double click it and allow it to merge into the registry.
You can also try this (http://support.microsoft.com/kb/886549) by clicking on the Fix It button and downloading it to your desktop, then double click it.

msff4u
2011-06-13, 01:56
I tried both items suggested. I downloaded installed and rebooted the first one, then the other.
No luck with either one.
I went back and started checking each program from the add/remove screen. Some programs do have a "repair" feature, others don't. The "repair" feature is what I used to get the Intel PROSet to work. Would it be advisable to try that with the programs that have it?

shelf life
2011-06-13, 03:54
OK. Yet another thing to try. Double click the My Computer icon on the desktop. Right click on your documents folder icon and select Properties. Next to Attributes: make sure that Hidden is not checked.

msff4u
2011-06-13, 04:53
I checked per your instructions, nothing was checked.
I have included another screen shot, maybe this will reveal something.

shelf life
2011-06-14, 00:18
OK, thanks. Check the same thing for your folder; the one you show is All Users.
If you right click on start>explore, in the left column right click on your folder>properties and check the attributes.

msff4u
2011-06-14, 01:21
Per your request, checked properties, were not checked.
I also checked various folders and they were not checked either.
See attached.

shelf life
2011-06-14, 03:46
One more thing to try (http://windowsxp.mvps.org/reg/shellfolders.reg). Download to your desktop and double click to merge into the registry.

msff4u
2011-06-15, 02:34
Well, same luck as before. No changes. :sad:

shelf life
2011-06-16, 00:50
Well we have tried several different things. I assume it would have been a registry fix. Let me get a second look at the logs you posted.

shelf life
2011-06-16, 23:18
Don't see any malware. You sent a screenshot of your add/remove programs panel a few posts back. It looked ok to me. What's wrong with it?
Another download to try. (http://download.bleepingcomputer.com/grinler/unhide.exe)

msff4u
2011-06-17, 01:46
Sorry for the delay, worked late last night.
O.K., do you need me to try and re-run any of the logs?

shelf life
2011-06-17, 03:18
No problem. The link in my last post is for the start menu issue. You can try running combofix again, I think you had to run it in safe mode last time if I remember. You can try running it again normally first, then go to safe mode if you have to. If you can run it normally it will update itself first. If you can't run it normally then boot into safe mode and this time choose the option safe mode with networking. This is so combofix can get the updates before running.

msff4u
2011-06-18, 15:15
I will run Combofix again and let you know what happens.

msff4u
2011-06-18, 16:55
Well, ran Combofix from the normal window, no luck. The strange thing is that when you look at the properties of a program link from the start menu, it shows 0 bytes and no directory, however, I can find and run that program if I tunnel down to the program folder itself.
I have attached the latest log file from combofix. :sad:

shelf life
2011-06-18, 20:34
The log looks ok. Scareware often uses these tricks but running antimalware and/or registry fixes will correct them. Running combofix was to check for any malware again and I didn't see any. The other fixes were registry fixes which haven't worked.
Try this (http://www.dougknox.com/xp/fileassoc/linkfile_fix.zip) Extract it to your desktop and double click to run it.

msff4u
2011-06-19, 03:55
You're not going to believe this.....no luck.
Saved it to desktop, shut down all av programs, double clicked it, asked if I wanted to install, said yes, showed successful. Rebooted and then no luck.
Let me say this.....thank you very much for all the help so far, sure hope we can get this cleared up so that you can help someone else.

shelf life
2011-06-19, 16:13
ok I see you have Superantispyware. It has some repair features you can try but I am pretty sure these are going to be reg fixes which we have already tried. If they don't work then we can try copying a user profile or manually copying them back in. Kind of tedious but you could do it just for apps you use most often.

Launch SAS and from the main window click on preferences then the repairs tab. You can try by clicking on these listed below then select Perform Repair:
Remove Explorer Policy Restrictions
Reset Winlogon Shell
Probably have to reboot after each one.

msff4u
2011-06-21, 05:04
Well, no luck at all. I even tried running a couple of the other repair features of SAS, but still no luck.
Let me ask this, there couldn't still be some sort of cover or protector over the top of the "All Users" profile, could there?
Every time I ran the SAS repair, after reboot, at the start menu, it showed "new program installed". When I looked at the "all programs" list, I did not see any new programs installed, everything still shows "empty".

shelf life
2011-06-21, 23:39
That's why we ran combofix again, as another check for malware. I assume that's what you mean. If you haven't recently run malwarebytes check for updates first then rerun it. Also please rescan and post a new DDS log since it's been awhile since the last one. Maybe something new will show up in those.
Is the menu empty for all the user profiles?

msff4u
2011-06-22, 03:46
O.K., I checked each profile on the computer and it appears that all common files are showing empty. Then if there is a program that is loaded under just one profile, it may or may not show up. I totally don't understand.
Attached are the files from Malware and DDS.
BTW, when the computer starts up now, it shows the F8 screen - start up in safe mode or normal mode. It has normal mode selected, then passes on thru. This screen just shows long enough to see it, then the computer finishes booting without further incident.

Is your head hurting yet.....:slap:....I know mine is

shelf life
2011-06-23, 03:43
Doesn't hurt yet, getting close though. All those recent logs look ok. Do you want to do a system restore? A point in time before the start menu problem? Malwarebytes does a pretty good job of cleaning any potential malware out of them. I assume it all started with the malware and you could choose a point before then to restore to. At this point it may be worth a try because I don't see any malware and we have run several registry repair tools.

msff4u
2011-06-24, 03:10
It looks like that might be the only thing left to try.
Guess it can't hurt anything any worse than it already is.

shelf life
2011-06-25, 02:04
ok. If you haven't done it yet here are directions (http://support.microsoft.com/kb/306084) you can follow.

msff4u
2011-06-26, 19:44
Well, guess what, no luck...imagine that.
I included a couple of files I thought might help.

shelf life
2011-06-28, 03:03
No luck with that. The two reg dumps look similar to my own. Using explorer if you go to C:\Program Files, do you see all the program folders listed and if you double click one of them on the right you see the .exe and other files in the folders?

msff4u
2011-06-29, 04:25
Yes, when I use explorer, I can see the program folder, and all the sub folders. When I open one of the sub folders, I can see what appears to be all the associated files.
I just went to the [microsoft office] folder and was able to open [excel].
BTW, I will be out of town starting Friday, figure most people will at least be doing something this weekend.
Thanks for the help, and if I don't hear from you between now and then, type to you next week.

shelf life
2011-07-01, 03:59
hi,

Ok. You can try this. Your start menu looks like this: See menu.png attachment,
The Dexclock folder as an example on my machine displays as empty when clicked.
If you double click one of the empty folders, in the menu.png screenshot example the folder is circled as Dexclock,
A window opens and is empty. See screenshot menu1.png showing the empty folder in explorer.
Keep this window open for now. Right click on start>explore and navigate to C:\Program Files and find the Deskclock folder, see screenshot menu2.png showing the two windows opened together.
You can right click on the .exe file in C:\Program Files and drag/drop them into the Start Menu creating a shortcut to the .exe. You could also drag/drop a shortcut to the desktop if it's an app you use a lot.
See screenshot menu3.png.
This will place a shortcut in the Start Menu. See screenshot4.png and you will be able to launch the app using the start>programs menu.
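A check for the symptom reported earlier in this thread (Start Menu shortcuts whose properties show 0 bytes) and a scripted version of the drag/drop shortcut repair just described, as an added PowerShell example that is not part of the thread. It assumes PowerShell is installed (it is not on XP by default); the .exe path and shortcut name in the last line are placeholders you fill in.

```powershell
# Added example, not from the thread. Lists 0-byte .lnk files under the
# Start Menu\Programs folders (current user and All Users), then shows how
# to recreate one shortcut from a known .exe, the same result as drag/drop.

$shell = New-Object -ComObject WScript.Shell

# WshShell special folders resolve the Programs paths on XP and later.
$roots = @(
    $shell.SpecialFolders.Item('Programs'),
    $shell.SpecialFolders.Item('AllUsersPrograms')
)

function Get-BrokenShortcut {
    # Return every .lnk under the given roots that is 0 bytes long.
    param([string[]]$Roots)
    foreach ($root in $Roots) {
        if (-not (Test-Path $root)) { continue }
        Get-ChildItem -Path $root -Recurse -Filter *.lnk -ErrorAction SilentlyContinue |
            Where-Object { $_.Length -eq 0 } |
            ForEach-Object {
                New-Object PSObject -Property @{
                    Shortcut = $_.FullName
                    Length   = $_.Length
                }
            }
    }
}

function New-MenuShortcut {
    # Create a shortcut to $ExePath at $ShortcutPath (folder is created if missing).
    param(
        [string]$ExePath,       # placeholder, e.g. 'C:\Program Files\<vendor>\<app>.exe'
        [string]$ShortcutPath   # placeholder, e.g. "$($roots[1])\<app>\<app>.lnk"
    )
    if (-not (Test-Path $ExePath)) { throw "Target not found: $ExePath" }
    $dir = Split-Path $ShortcutPath -Parent
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
    $lnk = $shell.CreateShortcut($ShortcutPath)
    $lnk.TargetPath       = $ExePath
    $lnk.WorkingDirectory = Split-Path $ExePath -Parent
    $lnk.Save()
    Get-Item $ShortcutPath
}

# 1. Report: every shortcut explorer would show as 0 bytes.
Get-BrokenShortcut -Roots $roots | Format-Table -AutoSize

# 2. Repair one entry by hand (uncomment and fill in the placeholders).
# New-MenuShortcut -ExePath 'C:\Program Files\<vendor>\<app>.exe' -ShortcutPath "$($roots[1])\<app>\<app>.lnk"
```

Run it in an account that can write to the All Users profile, and compare the report before and after any registry fix to see whether the damaged shortcuts are actually being restored.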

msff4u
2011-07-07, 02:42
Shelflife,
Hope you had a good 4th. We were out of town all week, now paying the price at work.:sad:
Well, I tried as you suggested, and it will work or at least it seems to work.
Sure is going to be a long process. Hopefully I can find all the .exe files. I'll have to dig around and see if I can find them.
If you happen to think of anything else, let me know.
Thanks for the help.

shelf life
2011-07-08, 01:39
hi,

Welcome back. You could just create the shortcuts for stuff you use the most. As far as I know we pretty much exhausted all the other possible fixes.

Another option would be to do a restore of Windows, not a system restore like we tried.

I assume you have a commercially purchased machine. These usually come with restore partitions or restore disks. It might be possible to do a restore back to factory conditions or a restore of Windows from the partition or a disk. These options I think would preserve your own documents etc you put on the computer. Not sure on that, I build my own and don't have much experience with restore disks and partitions. Probably varies anyway from vendor to vendor. Not talking about a reformat which would wipe your hard drive.

The best place to at least investigate this would be the computer vendor's website. Most have very good information and guides. One thing you want to make sure of is if the procedure will preserve your data. I am sure they would recommend first backing up anything you didn't want to lose, just as a precaution, (this would be content you created like documents, pictures, video etc) before you started any procedure.